The Cisco ACE 4710 Application Control Engine appliance and the Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers are a load-balancing and application-delivery solution for data centers. Multiple vulnerabilities exist in both products. These vulnerabilities are independent of each other. A device may be affected by one vulnerability and not affected by another. The following information provides the details about each of the vulnerabilities that are addressed in this advisory:

RTSP Inspection DoS Vulnerability
#################################

The RTSP is used by RealAudio, RealNetworks, Apple QuickTime 4, RealPlayer, and Cisco IP/TV connections. RTSP applications use the well-known port 554 with TCP and UDP as the control channel. The module and the appliance only support RTSP over TCP. The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain a DoS vulnerability that can be exploited by an unauthenticated attacker while sending crafted RTSP packets. Only devices with RTSP inspection enabled are affected. RTSP inspection is disabled by default. Note: A TCP three-way handshake is needed in order to exploit this vulnerability. Only transit traffic can trigger this vulnerability; traffic that is destined to the affected device will not trigger the vulnerability. This vulnerability is documented in these Cisco Bug IDs and has been assigned these Common Vulnerability and Exposures (CVE) IDs:

The ACE performs a stateful deep packet inspection of the HTTP protocol. Deep packet inspection is a special case of application inspection where the ACE examines the application payload of a packet or a traffic stream and makes decisions based on the content of the data. During HTTP deep inspection, the main focus of the application inspection process is on HTTP attributes such as the HTTP header, the URL, and to a limited extent, the payload. User-defined regular expressions can also be used to detect "signatures" in the payload. The Cisco ACE 4710 Application Control Engine contains a DoS vulnerability that can be exploited by an unauthenticated attacker while sending crafted HTTP packets. Devices with HTTP, RTSP, or SIP inspection enabled are affected. HTTP, RTSP, and SIP inspection are disabled by default. Note: The Cisco ACE Application Control Engine Module is not affected by this vulnerability. A TCP three-way handshake is needed in order to exploit thi s vulnerability. Only transit traffic can trigger this vulnerability; traffic that is destined to the affected device will not trigger this vulnerability. This vulnerability is documented in Cisco Bug ID CSCtb54493 ( registered customers only) and has been assigned the CVE ID CVE-2010-2823.

SSL DoS Vulnerability
#####################

The Cisco ACE Application Control Engine Module contains a DoS vulnerability that can be exploited by an unauthenticated attacker while sending a series of SSL packets. The Cisco ACE 4710 Application Control Engine appliance is not affected by this vulnerability. Note: A TCP three-way handshake is needed in order to exploit this vulnerability. Only traffic that is destined to the affected device can trigger this vulnerability; transit traffic will not trigger this vulnerability. Note: The Cisco ACE 4710 Application Control Engine appliance is not affected by this vulnerability. This vulnerability is documented in Cisco Bug ID CSCta20756 ( registered customers only) and has been assigned the CVE ID CVE-2010-2824.

SIP Inspection DoS Vulnerability
################################

SIP is used for call handling sessions, especially two-party conferences. The Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine contain a DoS vulnerability that can be exploited by an unauthenticated attacker while sending crafted SIP packets. Only devices with SIP inspection enabled are affected. SIP inspection is disabled by default. Note: TCP or UDP SIP packets may cause a device reload. If TCP is used, a TCP three-way handshake is needed in order to exploit this vulnerability. Only transit traffic can trigger this vulnerability; traffic that is destined to the affected device will not trigger this vulnerability. This vulnerability is documented in these Cisco Bug IDs and has been assigned these CVE IDs:

Workaround:
In addition to the recommendations described below, mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100811-ace.shtml.

RTSP Inspection DoS Vulnerability: This vulnerability can be mitigated by disabling RTSP inspection if it is not required. RTSP inspection is disabled by default. Administrators can disable RTSP inspection by issuing the no inspect rtsp command under the respective policy map. Note: This workaround is only feasible if RTSP inspection is not needed or required in a load-balancing deployment.

HTTP, RTSP, and SIP Inspection DoS Vulnerability: This vulnerability can be mitigated by disabling HTTP, RTSP, and SIP inspection if they are not required. HTTP, RTSP, and SIP inspection are disabled by default. Administrators can disable HTTP inspection by issuing the no inspect http command under the respective policy map. Administrators can disable RTSP inspection by issuing the no inspect rtsp command under the respective policy map. Administrators can disable SIP inspection by issuing the no inspect sip command under the respective policy map. Note: This workaround is only feasible if HTTP, RTSP, and SIP inspections are not needed or required in a load-balancing deployment.

SSL DoS Vulnerability: There are no workarounds available to mitigate this vulnerability.

SIP Inspection DoS Vulnerability: This vulnerability can be mitigated by disabling SIP inspection if it is not required. SIP inspection is disabled by default. Administrators can disable SIP inspection by issuing the no inspect sip command under the respective policy map. Note: This workaround is only feasible if SIP inspection is not needed or required in a load-balancing deployment.